Sunday, 23 November 2014


CRLF Injection




Introduction

CRLF(Carriage Return Line Feed) Injection is another Web Application Vulnerability which occures due to improper input sanitization in headers fields of a website like, Location, User-agent, Max-Age etc. This vulnerability can cause some highly risky vulnerabilities like XSS, LFI Etc.



Scene Behind CRLF

CR & LF are 2 characters that indicates the end of a line. If we type something in any text Editor and just hit the ENTER key, the Editor automatically adds CR & LF at the End of That Line. as an Example See Below:



Sometimes You might have seen them written like this \r\n, This is Exactly what is CRLF. They are written as %0d%0a also when writing in hex.



Exploitation

Exploiting This Vulnerability is really easy and it has targeted high profile sites like google, yahoo, microsoft Etc. Ummm Let's Take an Example Page and send a request to it Then check the http request and response via Burp suite.




Let's Save and visit this Page via browser. and intercept its http request & response via burp.

Request:



i just forwarded the request and response was something like this.



Then i manipulated the Location Header and replaced Google.com with My Localhost Address Hosted Script. See Below.

Script:



Manipulated Response:



and after clicking forward i just saw that it amazingly redirected me to my localhost script instead of google as mentioned in code. see picture.



so in this way as we can clearly see that we are able to change and manipulate the http response and request using crlf injection. we further can add our own headers and other stuff if input is not being sanitized properly. We Have also an option to Inject CRLF into headers by doing uaing following payload cache-control= private%0d%0aNew-Header:Hacked%0d%0a , soin this way by applying CRLF technique we can inject it.



Remediations

Just sanitize the CRLF characters before they pass from header or also sanitize the encoding formates which let's crlf codes be injected into header.

CRLF Injection - Inject the Headers

  • Uploaded by: Adeel Chaudhary
  • Views:
  • Category:
  • Share

    1 comments:

     
    Copyright © HACK | Designed by Muhammad Adeel | Founder UrduSecurity